DOCSLIB.ORG

A Closer Look at PKI: Security and Efficiency

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

A Closer Look at PKI: Security and Efficiency Alexandra Boldyreva1 and Marc Fischlin2 and Adriana Palacio3 and Bogdan Warinschi4 1Georgia Institute of Technology, USA. [email protected] 2Darmstadt University of Technology, Germany. [email protected] 3Bowdoin College, USA. [email protected] 4University of Bristol, UK. [email protected] April 13, 2007 Abstract In this paper we take a closer look at the security and efficiency of public-key encryption and sig- nature schemes in public-key infrastructures (PKI). Unlike traditional analyses which assume an “ideal” implementation of the PKI, we focus on the security of joint constructions that consider the certification authority (CA) and the users, and include a key-registration protocol and the algorithms of an encryption or a signature scheme. We therefore consider significantly broader adversarial capabilities. Our analysis clarifies and validates several crucial aspects such as the amount of trust put in the CA, the necessity and specifics of proofs of possession of secret keys, and the security of the basic primitives in this more complex setting. We also provide constructions for encryption and signature schemes that provably satisfy our strong security definitions and are more efficient than the corresponding traditional constructions that assume a digital certificate issued by the CA must be verified whenever a public key is used. Our results address some important aspects for the design and standardization of PKIs, as targeted for example in the standards project ANSI X9.109. 1 Introduction Public key cryptography implicitly relies on the existence of a public-key infrastructure (PKI), where each user has a pair of public and secret keys for the cryptosystem, and that this association is publicly available. The designers of public-key cryptosystems always define how the public and the secret keys are generated and used, but almost never carefully specify how the binding between keys and user identities takes place. The tacit assumption is that this binding is established a priori through PKI management operations. 1.1 Motivation The policies and the procedures regarding PKIs are continuously changing and detailed descriptions are invari- ably long and tedious.1 Unfortunately, existing literature still does not answer several important questions. 1See for example the document that describe the current state-of-the-art: ”Internet X.509 Public Key Infrastructure – Cer- tificate Management Protocol (CMP)” [1]. What exactly is the certification authority (CA), the entity that links public keys to identities, trusted not to do? Can and should some degree of security be ensured even when the CA is malicious or becomes com- promised? Proofs of possession (POP) —in which a user proves possession of the secret key when registering a public key with the CA— are a defense mechanism for protecting against rogue-key and key-substitution attacks, but what exactly should they be and, more importantly, are they really necessary? A question that is perhaps even more important is whether provably-secure encryption and signature schemes are indeed secure when used in a particular PKI. Although it is largely believed to be the case, the question is far from moot since most existing schemes are analyzed in settings where compositional aspects are neglected. In particular, the security of the combination of a key-registration protocol with existing encryption or signature schemes does not immediately follow from the security of the individual components. In principle, by cleverly combining its ability to attack the key-registration protocol and its ability to attack the primitive (encryption or signatures), an adversary could mount a successful attack against the joint construction. Limitations of security analyses that do not explicitly include the behavior of the CA or the key-registration protocol have been previously pointed out in other contexts. In the case of key exchange, Shoup [40] suggests that registration of public keys should be considered explicitly as part of the key agreement protocol to be analyzed. Kaliski [26] exemplifies the importance of such measures by presenting unknown key-share attacks on the MQV key exchange protocol [33]. These attacks could have been discovered with a thorough analysis that considers the CA as an active party participating in the protocol. We review further related work at the end in Section 6. 1.2 Contributions In this paper we initiate a study of PKIs with respect to security of the two most important public-key primitives: encryption and digital signature schemes. Our main motivation is to answer the questions raised above and other related issues. Models. Security arguments in the absence of rigorous models do not provide strong security guarantees, and such models are conspicuously absent in the case of PKIs. Our first contribution are rigorous definitions for primitives when used in this setting together with appropriate security notions. The inherent complexity of the PKI settings, the non-typical adversarial powers, and the difficulty of precisely identifying the situations that constitute a security breach make the design of such models an entirely non-trivial task. Since security goals depend on the primitive used, we treat the cases in which keys are used for encryption and for signing separately. Specifically, we define two primitives, called certified encryption and certified signature schemes, and for each primitive we define a notion of security. Besides the standard algorithms for encryption and signing, we model explicitly interactive protocols for registering the public keys with a CA. Consequently, our security notions are against an adversary with broad capabilities that take into account threats arising from the key-registration protocol, possibly run concurrently, the presence of several parties, including the users and the (possibly corrupt) CA. The details are in Sections 2, 3 and 4. Our security definitions are general and powerful. The models we propose directly capture settings where users have multiple public keys, and where keys have additional attributes, such as an expiration date. They easily extend to handle hierarchical certification and certificate revocation. Moreover, while we capture the original goal for which PKI was invented we make flexible assumptions on how certification is achieved. In particular, schemes that aim at achieving certification but avoid the original mechanism of explicit certificates specific to the traditional PKIs (e.g. schemes similar to those in [20, 2]) can still be analyzed in our models. We provide a detailed discussion in Sections 3 and 4. The design of our models in general and that of the security goals in particular are motivated by the “core” properties of the primitives, namely, confidentiality for encryption and integrity and authenticity for signatures. For protocols in which encryption schemes or signatures are used beyond these basic properties, e.g., encryption schemes used as commitments, additional analysis in light of the new goals is required. Yet, our attack model should be easily transferable to those scenarios, and only the security definitions would need to be adapted. Analysis of Traditional Schemes. Next we focus on constructions that satisfy the proposed notions of security. We start with an analysis of “traditional” certified encryption and certified signature schemes. In these constructions, the CA uses a signature scheme to issue digital certificates, and then parties produce 2 ciphertexts (resp., signatures) using a standard encryption (resp., signature) scheme. These schemes are defined in detail in Sections 3 and 4, respectively. Although it seems folklore that the traditional approach is “secure”, to the best of our knowledge no formal validation in a sound model with respect to clearly expressed security goals has been devised prior to our work. We offer a rigorous analysis that shows that these schemes are indeed secure in the appropriate security model we design. Our proof gives concrete security bounds that support recommendations for practical parameter choices. While expected, these results are important to increase confidence in the use of the schemes and allow to make security statements based on solid foundations. Our concrete security results are in Sections 3 and 4. The results that we obtain regarding the design of proofs of possession are less expected, if not surprising. Our investigation shows that formal proofs of knowledge are not necessary for basic security of the certified encryption and signature schemes, and that simpler challenge-response protocols suffice. For signatures, the user simply signs a distinct message2 provided by the CA. Perhaps surprisingly, we show that for basic encryption no proof of possession is required. Intuitively, in the case of encryption, this means that data privacy is not compromised if a user does not have the secret key associated to the public key it registers. We note that these results do not eliminate the proof-of-knowledge requirements imposed on these primitives in other settings (e.g., [4, 10, 9, 23, 31, 35]) and only concern the security of certified encryption and signatures. More efficient constructions. Since our models do not require that solutions use explicit certificates as in the traditional constructions, it is natural to ask if it is possible to obtain improvements over the traditional solutions, e.g., in terms of efficiency. We answer this question affirmatively. We present more efficient constructions for certified encryption
Recommended publications
  • Implicit and Explicit Certificates-Based Encryption Scheme Tomasz Hyla, Witold Maćków, Jerzy Pejaś

    Implicit and Explicit Certificates-Based Encryption Scheme Tomasz Hyla, Witold Maćków, Jerzy Pejaś

    Implicit and Explicit Certificates-Based Encryption Scheme Tomasz Hyla, Witold Maćków, Jerzy Pejaś To cite this version: Tomasz Hyla, Witold Maćków, Jerzy Pejaś. Implicit and Explicit Certificates-Based Encryption Scheme. 13th IFIP International Conference on Computer Information Systems and Industrial Man- agement (CISIM), Nov 2014, Ho Chi Minh City, Vietnam. pp.651-666, 10.1007/978-3-662-45237- 0_59. hal-01405660 HAL Id: hal-01405660 https://hal.inria.fr/hal-01405660 Submitted on 30 Nov 2016 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Distributed under a Creative Commons Attribution| 4.0 International License Implicit and Explicit Certificates-based Encryption Scheme Tomasz Hyla1, Witold Maćków1, Jerzy Pejaś1, 1 West Pomeranian University of Technology, Szczecin Faculty of Computer Science and Information Technology, Poland {thyla, wmackow, jpejas}@zut.edu.pl Abstract. Certificate-based encryption (CBE) combines traditional public-key encryption and certificateless encryption. However, it does suffer to the Denial of Decryption (DoD) attack called by Liu and Au. To capture this attack, they introduced a new paradigm called self-generated-certificate public key cryptog- raphy. In this paper we show that the problem of DoD attack can be solved with a new implicit and explicit certificates-based public key cryptography paradigm.
  • Towards a Hybrid Public Key Infrastructure (PKI): a Review

    Towards a Hybrid Public Key Infrastructure (PKI): a Review

    Towards a Hybrid Public Key Infrastructure (PKI): A Review Priyadarshi Singh, Abdul Basit, N Chaitanya Kumar, and V. Ch. Venkaiah School of Computer and Information Sciences, University of Hyderabad, Hyderabad-500046, India Abstract. Traditional Certificate- based public key infrastructure (PKI) suffers from the problem of certificate overhead like its storage, verification, revocation etc. To overcome these problems, idea of certificate less identity-based public key cryptography (ID-PKC) was proposed by Shamir. This is suitable for closed trusted group only. Also, this concept has some inherent problems like key escrow problem, secure key channel problem, identity management overhead etc. Later on, there had been several works which tried to combine both the cryptographic techniques such that the resulting hybrid PKI framework is built upon the best features of both the cryptographic techniques. It had been shown that this approach solves many problems associated with an individual cryptosystem. In this paper, we have reviewed and compared such hybrid schemes which tried to combine both the certificate based PKC and ID-based PKC. Also, the summary of the comparison, based on various features, is presented in a table. Keywords: Certificate-based PKI; Identity-based public key cryptography (ID-PKC); Hybrid PKI 1 INTRODUCTION Public key infrastructure (PKI) and public key cryptography (PKC) [12] plays a vital role with four major components of digital security: authentication, integrity, confidentiality and non-repudiation. Infact, PKI enables the use of PKC through key management. The ”efficient and secure management of the key pairs during their whole life cycle" is the purpose of PKI, which involves key generation, key distribution, key renewal, key revocation etc [11].
  • DRAFT Special Publication 800-56A, Recommendation for Pair-Wise Key

    DRAFT Special Publication 800-56A, Recommendation for Pair-Wise Key

    The attached DRAFT document (provided here for historical purposes) has been superseded by the following publication: Publication Number: NIST Special Publication (SP) 800-56A Revision 2 Title: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography Publication Date: 05/13/2013 • Final Publication: https://doi.org/10.6028/NIST.SP.800-56Ar2 (which links to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf). • Information on other NIST Computer Security Division publications and programs can be found at: http://csrc.nist.gov/ The following information was posted with the attached DRAFT document: Aug 20, 2012 SP 800-56 A Rev.1 DRAFT Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography (Draft Revision) NIST announces the release of draft revision of Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. SP 800-56A specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and MQV key establishment schemes. The revision is made on the March 2007 version. The main changes are listed in Appendix D. Please submit comments to 56A2012rev-comments @ nist.gov with "Comments on SP 800-56A (Revision)" in the subject line. The comment period closes on October 31, 2012. NIST Special Publication 800-56A Recommendation for Pair-Wise August 2012 Key-Establishment Schemes Using Discrete Logarithm Cryptography (Draft Revision) Elaine Barker, Lily Chen, Miles Smid and Allen Roginsky C O M P U T E R S E C U R I T Y Abstract This Recommendation specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and MQV key establishment schemes.
  • Guidelines on Cryptographic Algorithms Usage and Key Management

    Guidelines on Cryptographic Algorithms Usage and Key Management

    EPC342-08 Version 7.0 4 November 2017 [X] Public – [ ] Internal Use – [ ] Confidential – [ ] Strictest Confidence Distribution: Publicly available GUIDELINES ON CRYPTOGRAPHIC ALGORITHMS USAGE AND KEY MANAGEMENT Abstract This document defines guidelines on cryptographic algorithms usage and key management. Document Reference EPC342-08 Issue Version 7.0 Date of Issue 22 November 2017 Reason for Issue Maintenance of document Produced by EPC Authorised by EPC Document History This document was first produced by ECBS as TR 406, with its latest ECBS version published in September 2005. The document has been handed over to the EPC which is responsible for its yearly maintenance. DISCLAIMER: Whilst the European Payments Council (EPC) has used its best endeavours to make sure that all the information, data, documentation (including references) and other material in the present document are accurate and complete, it does not accept liability for any errors or omissions. EPC will not be liable for any claims or losses of any nature arising directly or indirectly from use of the information, data, documentation or other material in the present document. Conseil Européen des Paiements AISBL– Cours Saint-Michel 30A – B 1040 Brussels Tel: +32 2 733 35 33 – Fax: +32 2 736 49 88 Enterprise N° 0873.268.927 – www.epc-cep.eu – [email protected] © 2016 Copyright European Payments Council (EPC) AISBL: Reproduction for non-commercial purposes is authorised, with acknowledgement of the source Table of Content MANAGEMENT SUMMARY ............................................................. 5 1 INTRODUCTION .................................................................... 7 1.1 Scope of the document ...................................................... 7 1.2 Document structure .......................................................... 7 1.3 Recommendations ............................................................ 8 1.4 Implementation best practices .........................................
  • PUF Based Authentication Protocol for Iot

    PUF Based Authentication Protocol for Iot

    S S symmetry Article PUF Based Authentication Protocol for IoT An Braeken Vrije Universiteit Brussel, Pleinlaan 2, 1050 Brussel, Belgium; [email protected]; Tel.: +32-468-104-767 Received: 11 July 2018; Accepted: 11 August 2018; Published: 20 August 2018 Abstract: Key agreement between two constrained Internet of Things (IoT) devices that have not met each other is an essential feature to provide in order to establish trust among its users. Physical Unclonable Functions (PUFs) on a device represent a low cost primitive exploiting the unique random patterns in the device and have been already applied in a multitude of applications for secure key generation and key agreement in order to avoid an attacker to take over the identity of a tampered device, whose key material has been extracted. This paper shows that the key agreement scheme of a recently proposed PUF based protocol, presented by Chatterjee et al., for Internet of Things (IoT) is vulnerable for man-in-the-middle, impersonation, and replay attacks in the Yao–Dolev security model. We propose an alternative scheme, which is able to solve these issues and can provide in addition a more efficient key agreement and subsequently a communication phase between two IoT devices connected to the same authentication server. The scheme also offers identity based authentication and repudiation, when only using elliptic curve multiplications and additions, instead of the compute intensive pairing operations. Keywords: physical unclonable function; authentication; elliptic curve cryptography; internet of things 1. Introduction Internet of Things (IoT) is experiencing worldwide growth. Not only classical computing and communication devices are connected, but also a whole range of other gadgets that are used in our daily life, such as thermostats, light switches, door locks, refrigerators, etc.
  • On Robust Key Agreement Based on Public Key Authentication Feng Hao Thales E-Security, Cambridge, UK Feng.Hao@Thales-Esecurity.Com

    On Robust Key Agreement Based on Public Key Authentication Feng Hao Thales E-Security, Cambridge, UK [email protected]

    1 On Robust Key Agreement Based on Public Key Authentication Feng Hao Thales E-Security, Cambridge, UK [email protected] Abstract—This paper discusses public-key authenticated key Elliptic Curve Cryptography (ECC) [10]. Using ECC essen- agreement protocols. First, we critically analyze several authen- tially replaces the underlying (multiplicative) cyclic group ticated key agreement protocols and uncover various theoretical with another (additive) cyclic group defined over some elliptic and practical flaws. In particular, we present two new attacks on the HMQV protocol, which is currently being standardized curve. The essence of the protocol remains unchanged. by IEEE P1363. The first attack presents a counterexample to The acute problem with the Diffie-Hellman key agreement invalidate the basic authentication in HMQV. The second attack is that it is unauthenticated [2]. While secure against passive is applicable to almost all past schemes, despite that many of attackers, the protocol is inherently vulnerable to active attacks them have formal security proofs. These attacks highlight the such as the man-in-the-middle attack [6]. This is a serious lim- difficulty to design a crypto protocol correctly and suggest the caution one should always take. itation, which for many years has been motivating researchers We further point out that many of the design errors are caused to find a solution [3]–[5], [7], [9], [11], [13], [20]. by sidestepping an important engineering principle, namely To add authentication, we must start with assuming some “Do not assume that a message you receive has a particular shared secret. In general, there are two approaches.
  • The Whole Is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based Akes Rafael Del Pino, Vadim Lyubashevsky, David Pointcheval

    The Whole Is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based Akes Rafael Del Pino, Vadim Lyubashevsky, David Pointcheval

    The Whole is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based AKEs Rafael del Pino, Vadim Lyubashevsky, David Pointcheval To cite this version: Rafael del Pino, Vadim Lyubashevsky, David Pointcheval. The Whole is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based AKEs. SCN 2016 - 10th International Conference Security and Cryptography for Networks, Aug 2016, Amalfi, Italy. pp.273 - 291, 10.1007/978-3-319- 44618-9_15. hal-01378005 HAL Id: hal-01378005 https://hal.inria.fr/hal-01378005 Submitted on 8 Oct 2016 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. The Whole is Less than the Sum of its Parts: Constructing More Efficient Lattice-Based AKEs? Rafael del Pino1;2;3, Vadim Lyubashevsky4, and David Pointcheval3;2;1 1 INRIA, Paris 2 Ecole´ Normale Sup´erieure,Paris 3 CNRS 4 IBM Research Zurich Abstract. Authenticated Key Exchange (AKE) is the backbone of internet security protocols such as TLS and IKE. A recent announcement by standardization bodies calling for a shift to quantum-resilient crypto has resulted in several AKE proposals from the research community. Be- cause AKE can be generically constructed by combining a digital signature scheme with public key encryption (or a KEM), most of these proposals focused on optimizing the known KEMs and left the authentication part to the generic combination with digital signatures.
  • The Odd Couple: MQV and HMQV

    The Odd Couple: MQV and HMQV

    The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, I proposed by Menezes, Qu and Vanstone (1995), I improved with Law and Solinas (1998), I widely standardized (ANSI, ISO/IEC, IEEE), and recommended (NIST, NSA suite B). HMQV = variant of MQV, I proposed by Krawczyk (2005), I attacked by Menezes, I validity of attacks unclear. 2 / 49 References A. Menezes, M. Qu, S. Vanstone. Some new key agreement protocols providing implicit authentication. SAC’95. L. Law, A. Menezes, M. Qu, J. Solinas, S. Vanstone. An efficient protocol for authenticated key agreement. Design, Codes, and Cryptography, 2003. H. Krawczyk. HMQV: A high-performance secure Diffie-Hellman protocol. CRYPTO’ 05. Full version on ePrint (2005/176). A. Menezes. Another look at HMQV. ePrint (2005/205). Journal of Mathematical Cryptology, 2007. A. Menezes, B. Ustaoglu. On the importance of public-key validation in the MQV and HMQV key agreement protocols. INDOCRYPT’06. 3 / 49 Road map PART I I Key agreement protocols I Elliptic curves I The MQV protocols PART II I The “insecurity” of MQV I HMQV I The “insecurity” of HMQV CONCLUSION 4 / 49 PART I 5 / 49 Key agreement protocols 6 / 49 Taxonomy From the HAC. Key establishment is a protocol whereby a shared secret becomes available to two or more parties, for subsequent cryptographic use. A key transport protocol is a key establishment technique where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s). A key agreement protocol is a key establishement in which a shared secret is derived by two (or more) parties as a function of information contributed by, or associated with, each of these, (ideally) such that no party can predetermine the resulting value.
  • NIST)  Quantum Computing Will Break Many Public-Key Cryptographic Algorithms/Schemes ◦ Key Agreement (E.G

    NIST)  Quantum Computing Will Break Many Public-Key Cryptographic Algorithms/Schemes ◦ Key Agreement (E.G

    Post Quantum Cryptography Team Presenter: Lily Chen National Institute of Standards and Technology (NIST) Quantum computing will break many public-key cryptographic algorithms/schemes ◦ Key agreement (e.g. DH and MQV) ◦ Digital signatures (e.g. RSA and DSA) ◦ Encryption (e.g. RSA) These algorithms have been used to protect Internet protocols (e.g. IPsec) and applications (e.g.TLS) NIST is studying “quantum-safe” replacements This talk will focus on practical aspects ◦ For security, see Yi-Kai Liu’s talk later today ◦ Key establishment: ephemeral Diffie-Hellman ◦ Authentication: signature or pre-shared key Key establishment through RSA, DHE, or DH Client Server ◦ RSA – Client encrypts pre- master secret using server’s Client RSA public key Hello Server Hello Certificate* ◦ DHE – Ephemeral Diffie- ServerKeyExchange* Hellman CertificateRequest* ◦ DH – Client generates an ServerHelloDone ephemeral DH public value. Certificate* ClientKeyExchange* Pre-master secret is generated CertificateVerify* using server static public key {ChangeCipherSpec} Finished Server authentication {ChangeCipherSpec} ◦ RSA – implicit (by key Finished confirmation) ◦ DHE - signature Application data Application Data ◦ DH – implicit (by key confirmation) IKE ◦ A replacement of ephemeral Diffie-Hellman key agreement should have a fast key pair generation scheme ◦ If signatures are used for authentication, both signing and verifying need to be equally efficient TLS ◦ RSA - encryption replacement needs to have a fast encryption ◦ DHE – fast key pair generation and efficient signature verification ◦ DH – fast key pair generation Which are most important in practice? ◦ Public and private key sizes ◦ Key pair generation time ◦ Ciphertext size ◦ Encryption/Decryption speed ◦ Signature size ◦ Signature generation/verification time Not a lot of benchmarks in this area Lattice-based ◦ NTRU Encryption and NTRU Signature ◦ (Ring-based) Learning with Errors Code-based ◦ McEliece encryption and CFS signatures Multivariate ◦ HFE, psFlash , Quartz (a variant of HFE), Many more….
  • Re-Authentication and Tracing the Node Movement

    Re-Authentication and Tracing the Node Movement

    박 ¬ Y 위 | 8 Doctoral Thesis 센서 $¸워l@ t동 통신망D 위\ 보H 0 연l Advanced Security Schemes in Sensor Networks and Mobile Networks \ 규석 (韓 -m Han, Kyusuk) 정보통신õY과 Department of Information and Communication Engineering \ m 과 Y 0 Ð Korea Advanced Institute of Science and Technology 2010 센서 $¸워l@ t동 통신망D 위\ 보H 0 연l Advanced Security Schemes in Sensor Networks and Mobile Networks Advanced Security Schemes in Sensor Networks and Mobile Networks Advisor : Professor Kwangjo Kim by Han, Kyusuk Department of Information and Communication Engineering Korea Advanced Institute of Science and Technology A thesis submitted to the faculty of the Korea Advanced Institute of Science and Technology in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Department of Information and Communication Engineering Daejeon, Korea 2010. 5. 24. Approved by Professor Kwangjo Kim Advisor 센서 $¸워l@ t동 통신망D 위\ 보H 0 연l \ 규석 위 |8@ \m과Y0 Ð 박¬Y위|8<\ Y위|8심¬ 위Ð회Ð서 심¬ 통과X였L. 2010D 5월 24| 심¬위Ð¥ @ 광 p (x) 심¬위Ð @ 대 영 (x) 심¬위Ð t 병 천 (x) 심¬위Ð \ P 8 (x) 심¬위Ð \ 영 ¨ (x) DICE \ 규석. Han, Kyusuk. Advanced Security Schemes in Sensor Networks and Mobile Networks. 센서 $¸워l@ t동 통신망D 위\ 보H 0 연l. 20055186 Department of Information and Communication Engineering . 2010. 113p. Ad- visor Prof. Kwangjo Kim. Text in English. Abstract Recent advance of wireless sensor network and mobile communication network tech- nologies bring several new issues such as the mobility of sensor nodes, the deployment of PKI. Moreover, the convergence of such different networks are one of rising issues.
  • BC FIPS Java Description

    BC FIPS Java Description

    The Bouncy Castle FIPS Java API 20 November 2015 1. Introduction The Bouncy Castle APIs (BC) divide into 3 groups: there is a light-weight API which provides direct access to cryptographic services, a provider for the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE) built on top of the light-weight API that provides access to services required to use the JCA/JCE, and another set of APIs which provide handling of protocols such as Cryptographic Message Syntax (CMS), OpenPGP, Time Stamp Protocol (TSP), Secure Mime (S/MIME), Certificate Management Protocol (CMP), as well as APIs for generating Certification Requests (CRMF, PKCS#10), X.509 certificates, PKCS#12 files and other protocol elements used in a variety of standards. The total code base, including porting code for different JVMs, is currently sitting at around 499,000 lines of Java. Overall, the design of the original BC APIs is such that the classes can be used to create objects which can be assembled in many different ways, regardless of whether it makes sense. This has given us a very agile API to work with, in the sense that it is easy to formulate new combinations of algorithms, modes, and padding types, as well as to define a wide variety of things like signature types. However the boundaries are loosely defined, and the agility results in widespread leakage – FIPS style programming requires specific paths to access cryptographic functions with defined boundaries between what's in the cryptographic world and what is not. For the purposes of many application developers using BC, the BC approach is either fine, or they are simply not aware of the potential issues as they only work at the JCA/JCE level or even at a higher level such as CMS or OpenPGP.
  • Recommendation for Key Management, Part 1: General Publication Date(S) January 2016 Withdrawal Date May 4, 2020 Withdrawal Note SP 800-57 Part 1 Rev

    Recommendation for Key Management, Part 1: General Publication Date(S) January 2016 Withdrawal Date May 4, 2020 Withdrawal Note SP 800-57 Part 1 Rev

    Withdrawn NIST Technical Series Publication Warning Notice The attached publication has been withdrawn (archived), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Withdrawn Publication Series/Number NIST Special Publication 800-57 Part 1 Revision 4 Title Recommendation for Key Management, Part 1: General Publication Date(s) January 2016 Withdrawal Date May 4, 2020 Withdrawal Note SP 800-57 Part 1 Rev. 4 is superseded in its entirety by the publication of SP 800-57 Part 1 Rev. 5. Superseding Publication(s) (if applicable) The attached publication has been superseded by the following publication(s): Series/Number NIST Special Publication 800-57 Part 1 Revision 5 Title Recommendation for Key Management: Part 1 – General Author(s) Elaine Barker Publication Date(s) May 2020 URL/DOI https://doi.org/10.6028/NIST.SP.800-57pt1r5 Additional Information (if applicable) Contact Computer Security Division (Information Technology Laboratory) Latest revision of the attached publication Related Information https://csrc.nist.gov/projects/key-management/key-management-guidelines https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final Withdrawal Announcement Link Date updated: May 4, 2020 NIST Special Publication 800-57 Part 1 Revision 4 Recommendation for Key Management Part 1: General Elaine Barker This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4 C O M P U T E R S E C U R I T Y NIST Special Publication 800-57 Part 1 Revision 4 Recommendation for Key Management Part 1: General Elaine Barker Computer Security Division Information Technology Laboratory This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4 January 2016 U.S.